The LGBTQ dating app Grindr has been caught sharing users’ sensitive data with thousands of ad partners, reports Bloomberg. That’s according to a study from the Norwegian Consumer Council. The NCC’s report says Grindr uses Twitter’s ad subsidiary MoPub to funnel the personal information of Grindr users to ad partners.

The data includes a Grindr user’s location, age, gender, and sexual orientation, which malicious individuals or parties could then use to identify and target LGBTQ people. As a result of its findings, the NCC and European privacy advocate Max Schrems has filed no fewer than three complaints against Grindr and five ad-tech companies. Those complaints were filed with the Norwegian Data Protection Authority, and they allege Grindr’s sharing of personal data breaches the EU’s GDPR privacy rules.

A representative from Twitter told Bloomberg the company is working to “understand the sufficiency of Grindr’s consent mechanism” and in the meantime has disabled Grindr’s MoPub account. If Grindr is found to be in violation of GDPR rules, the popular app could face fines totaling up to 4% of the company’s global annual revenue. Yet those fines wouldn’t address the underlying issue: that thousands of ad partners have identifiable data on millions of LGBTQ users who could be targeted for hate crimes should such data ever be leaked.